
AWS S3 bucket has global view ACL permissions enabled

Description

This policy detects whether an AWS S3 bucket ACL (Access Control List) grants the global AllUsers group the READ_ACP ("view ACL") permission. READ_ACP on a bucket lets the grantee read the bucket's ACL, so a grant to AllUsers means anyone on the internet, including unauthenticated requests, can enumerate who has access to the bucket. The policy flags this because global ACL grants are one of the ways a bucket ends up publicly accessible.

Code Example

```hcl
resource "aws_s3_bucket_acl" "example" {
  ...
  access_control_policy {
    # Flagged: the global AllUsers group (every principal, including
    # anonymous requests) is granted READ_ACP, i.e. permission to read
    # this bucket's ACL.
    grant {
      grantee {
        type = "Group"
        uri  = "http://acs.amazonaws.com/groups/global/AllUsers"
      }
      permission = "READ_ACP"
    }
  }
}
```

Remediation

Terraform

  • Resource: aws_s3_bucket_acl
  • Arguments: acl, access_control_policy

Set the bucket ACL to private so that no global grant exists. Do not use the canned ACLs public-read, public-read-write, or authenticated-read, and do not add grants whose grantee is the AllUsers or AuthenticatedUsers group in access_control_policy. Grant access through specific bucket policies and IAM roles instead.

Two related controls are worth applying alongside the ACL fix: an aws_s3_bucket_public_access_block with block_public_acls and ignore_public_acls enabled rejects and ignores any public ACL that is added later, and aws_s3_bucket_ownership_controls with object_ownership = "BucketOwnerEnforced" disables ACLs for the bucket entirely, leaving bucket policies and IAM as the only access-control mechanism.
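The following Terraform is an added example and is not the page's own remediation code; the bucket name and resource labels are illustrative. It replaces the AllUsers grant from the flagged snippet with an owner-only FULL_CONTROL grant built from the account's canonical user ID, and adds an S3 Block Public Access configuration so that a public ACL cannot be reintroduced later.

```hcl
# Added example: owner-only ACL plus Block Public Access. Names are illustrative.
resource "aws_s3_bucket" "example" {
  bucket = "example-private-bucket"
}

# Explicit ownership controls so the ACL can be managed deterministically;
# the aws_s3_bucket_acl below depends on this resource.
resource "aws_s3_bucket_ownership_controls" "example" {
  bucket = aws_s3_bucket.example.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

# Canonical user ID of the account running the apply, used as the sole grantee.
data "aws_canonical_user_id" "current" {}

resource "aws_s3_bucket_acl" "example" {
  depends_on = [aws_s3_bucket_ownership_controls.example]

  bucket = aws_s3_bucket.example.id

  access_control_policy {
    # Remediated: the only grant is FULL_CONTROL to the bucket owner.
    # No grant references the AllUsers or AuthenticatedUsers group URIs.
    grant {
      grantee {
        id   = data.aws_canonical_user_id.current.id
        type = "CanonicalUser"
      }
      permission = "FULL_CONTROL"
    }

    owner {
      id = data.aws_canonical_user_id.current.id
    }
  }
}

# Defense in depth: reject new public ACLs, ignore any that exist, and block
# public bucket policies, so the finding cannot regress outside Terraform.
resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.example.id

  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}
```

If the bucket does not need ACLs at all, the simpler option is object_ownership = "BucketOwnerEnforced" in aws_s3_bucket_ownership_controls and no aws_s3_bucket_acl resource; S3 then ignores ACLs for the bucket and all access is decided by bucket policies and IAM.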

Rule Details

Field        Value
ID           IAC-0422
Severity     LOW
IaC Type     Terraform
Frameworks   Terraform, TerraformPlan
Checkov ID   CKV_AWS_375
